Fail2Ban-Dashboard---NPM/README.md
gitea 09124b10b9 chore: clean up stale references and README
- jail.local: fix comment pointing to deleted docker-compose.cloudflare.yml
- .gitignore: remove .env entry (no env file in use)
- README: full rewrite to match current state (no .env, no webhook,
  correct file structure, inline compose config, CF setup instructions)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 15:38:20 +00:00


# F2B Control Center
Fail2Ban + Nginx Proxy Manager in a single Docker container, with a web dashboard for monitoring and managing bans.
Pre-built filters detect bad bots, HTTP error spamming, and exploit probing against NPM logs. Bans are enforced via iptables (DOCKER-USER chain + INPUT), with optional Cloudflare WAF banning on top.
---
## Requirements
- Docker + Docker Compose
- Linux host with iptables support
- `xt_string` kernel module on the host (`modprobe xt_string`)
---
## Quick Start
```bash
git clone https://git.thisisfake.lol/mykey/f2b-control-center
cd f2b-control-center
```
Edit `docker-compose.yml` — at minimum review `SUBNETS_TO_IGNORE`. Then:
```bash
docker compose up -d
```
Dashboard at `http://YOUR_HOST:4000`
On first start the container installs the default Fail2Ban config into a persistent volume and begins monitoring NPM logs immediately.
---
## Configuration
All settings are in `docker-compose.yml`. Required fields are uncommented. Optional features are commented out — uncomment and fill in to enable.
| Variable | Default | Description |
|---|---|---|
| `PORT` | `4000` | Dashboard port |
| `SUBNETS_TO_IGNORE` | RFC1918 ranges | CIDRs excluded from scanning and banning |
| `ABUSEIPDB_API_KEY` | _(optional)_ | Enables threat scoring and auto-ban |
| `CF_EMAIL` | _(optional)_ | Cloudflare account email — enables WAF banning |
| `CF_APIKEY` | _(optional)_ | Cloudflare Global API Key |
---
## Jails
| Jail | Trigger | Ban time |
|---|---|---|
| `badbot` | Known scanner/exploit user-agents | 24h |
| `http-errors` | 15+ 4xx/5xx errors in 5 min | 1h |
| `npm-probe` | Exploit path probing (.env, wp-login, etc.) | 48h |
| `manual-bans` | Manual dashboard or CLI bans | Permanent |
| `recidive` | Repeat offenders (disabled by default) | 7d |
To customise jails:
```bash
docker exec -it f2b-control-center bash
vi /etc/fail2ban/jail.local
fail2ban-client reload
```
---
## How Banning Works
The container uses `network_mode: host` so iptables rules affect the host network stack. Two rules are inserted per ban:
- **DOCKER-USER** — drops forwarded packets where the `X-Forwarded-For` header matches the banned IP (catches traffic routed through Cloudflare/CDN)
- **INPUT** — drops direct connections from the banned IP
Requires `xt_string` on the host:
```bash
modprobe xt_string
# to persist across reboots:
echo xt_string >> /etc/modules
```
---
## Cloudflare WAF
Uncomment and fill in `CF_EMAIL` and `CF_APIKEY` in `docker-compose.yml`. The container detects these on first start and installs the Cloudflare action alongside iptables — no other changes needed.
Get your Global API Key at: https://dash.cloudflare.com/profile/api-tokens
---
## Log Format
Filters expect NPM logs with the real client IP in a `[Client X.X.X.X]` field — the format NPM produces when behind Cloudflare or any proxy that forwards `X-Forwarded-For`.
Test a filter against your logs:
```bash
docker exec f2b-control-center \
fail2ban-regex /nginx-logs/proxy-host-1_access.log \
/etc/fail2ban/filter.d/http-errors.conf
```
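As an added illustration (not part of this project's code), the following Python mirrors what the `http-errors` jail does with that log format: it pulls the status code and the `[Client X.X.X.X]` field out of each line, keeps a sliding 5-minute window of 4xx/5xx hits per IP, skips the RFC1918 ranges that `SUBNETS_TO_IGNORE` excludes by default, and reports IPs that reach 15 hits. The full field layout of the sample lines is an assumption about NPM's proxy-host access log; the lines themselves are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed NPM layout: "[time] cache upstream status - METHOD scheme host "/uri" [Client IP] ...".
# Only the timestamp, the status code and the [Client ...] field are used.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \S+ \S+ (?P<status>\d{3}) .*?\[Client (?P<ip>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

MAXRETRY = 15   # http-errors jail: 15+ 4xx/5xx ...
FINDTIME = 300  # ... within 5 minutes

# SUBNETS_TO_IGNORE default: RFC1918 ranges are never banned.
IGNORE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ignored(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNORE)


def offenders(lines):
    """Return the set of client IPs that would trip the http-errors jail."""
    window = defaultdict(deque)  # ip -> timestamps of recent 4xx/5xx responses
    banned = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith(("4", "5")):
            continue  # unrecognised line or a non-error response
        ip = m["ip"]
        if ignored(ip):
            continue
        t = datetime.strptime(m["ts"], TS_FMT).timestamp()
        q = window[ip]
        q.append(t)
        while q and t - q[0] > FINDTIME:
            q.popleft()  # forget hits older than findtime
        if len(q) >= MAXRETRY:
            banned.add(ip)
    return banned


def _line(ts, status, ip):  # constructed sample line in the assumed layout
    return (f'[{ts}] - {status} {status} - GET https example.com "/wp-login.php" '
            f'[Client {ip}] [Length 0] [Gzip -] [Sent-to 10.0.0.5] "curl/8.0" "-"')


def _stamps(n):  # one timestamp every 10 seconds, starting 15:38:00
    return [f"20/Feb/2026:15:{38 + i // 6:02d}:{(i % 6) * 10:02d} +0000" for i in range(n)]


SAMPLE = ([_line(t, 404, "203.0.113.7") for t in _stamps(16)]     # 16 errors in 150s: banned
          + [_line(t, 502, "192.168.1.5") for t in _stamps(16)]   # same burst from RFC1918: ignored
          + [_line(t, 403, "198.51.100.9") for t in _stamps(5)]   # 5 errors: under maxretry
          + [_line(t, 200, "198.51.100.9") for t in _stamps(20)]) # successes never count
```

Running `offenders(SAMPLE)` yields only `203.0.113.7`; compare against `fail2ban-regex` output on real logs to confirm the filter and the threshold agree.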
---
## Useful Commands
```bash
# View logs
docker compose logs -f
# Reload fail2ban config
docker exec f2b-control-center fail2ban-client reload
# Check jail status
docker exec f2b-control-center fail2ban-client status
# Manual ban / unban
docker exec f2b-control-center fail2ban-client set manual-bans banip 1.2.3.4
docker exec f2b-control-center fail2ban-client set manual-bans unbanip 1.2.3.4
```
---
## Volumes
| Volume | Path | Contents |
|---|---|---|
| `f2b-data` | `/data` | Ban history database |
| `f2b-config` | `/etc/fail2ban` | Jail and filter config (survives image updates) |
| bind mount | `/nginx-logs` | NPM log directory (read-only) |
---
## License
MIT